Last active 6 days ago

Korbs revised this gist 6 days ago.

1 file changed, 27 insertions

README.md

@@ -33,6 +33,27 @@ Verify installation:
33 33 notation version
34 34 ```
35 35
36 + Setup directories in `.config`:
37 + ```
38 + mkdir -p ~/.config/notation/localkeys/
39 + ```
40 +
41 + Create `signingkeys.json`
42 + ```
43 + {
44 + "default": "DefaultKey",
45 + "keys": [
46 + {
47 + "name": "DefaultKey",
48 + "keyPath": "/home/YOUR_USERNAME/.config/notation/localkeys/sign.key",
49 + "certPath": "/home/YOUR_USERNAME/.config/notation/localkeys/sign.crt"
50 + }
51 + ]
52 + }
53 + ```
54 +
55 + > Keys are copied over during instructions in this Gist.
56 +
36 57 ### Registry Login
37 58
38 59 Login to your Zot Registry:
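Review bot: the `mkdir -p ~/.config/notation/localkeys/` step creates the directory that will hold an unencrypted private key using the default umask, so tighten it (`chmod 700 ~/.config/notation/localkeys`) and make sure the `sign.key` that is later copied there ends up mode 600, since the `signingkeys.json` added here points notation at that file. The `keyPath`/`certPath` values also need to be the reader's real absolute home directory: notation reads these paths literally, so `/home/YOUR_USERNAME/...` must be edited rather than left as a placeholder, and one sentence saying so next to the JSON would prevent a confusing failure at `notation sign` time. Minor: the JSON fence is untagged while the neighbouring blocks use ```bash; tagging it ```json keeps the README consistent.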
@@ -52,6 +73,12 @@ Create the certficate file:
52 73 openssl x509 -req -sha256 -days 365 -in sign.csr -signkey sign.key -out sign.crt -extfile (printf "keyUsage=critical,digitalSignature\nextendedKeyUsage=codeSigning" | psub)
53 74 ```
54 75
76 + Copy your keys to notation configuration:
77 + ```bash
78 + cp sign.key ~/.config/notation/localkeys
79 + cp sign.crt ~/.config/notation/localkeys
80 + ```
81 +
55 82 Upload the certificate to your Zot Registry via API:
56 83 ```bash
57 84 curl -u "YOUR_USERNAME:YOUR_API_KEY" --data-binary @sign.crt -X POST "https://registry.example.org/v2/_zot/ext/notation?truststoreType=ca"
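Review bot: `cp sign.key ~/.config/notation/localkeys` copies the private key with whatever mode it had in the working directory; follow it with `chmod 600 ~/.config/notation/localkeys/sign.key` (or replace the copy with `install -m 600 sign.key ~/.config/notation/localkeys/`) so only the signing user can read it. Separately, the `curl -u "YOUR_USERNAME:YOUR_API_KEY"` upload puts the API key into shell history and the process list; passing only `-u "YOUR_USERNAME"` so curl prompts for the secret, or using `--netrc`, avoids that.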

Korbs revised this gist 6 days ago.

1 file changed, 63 insertions

README.md(file created)

@@ -0,0 +1,63 @@
1 + ## Zot Registry Configuration
2 +
3 + Please enable `notation` as a trust option and API keys:
4 + ```json
5 + ...
6 + "http": {
7 + "auth": {
8 + "apikey": true
9 + }
10 + }
11 + "extensions": {
12 + "trust": {
13 + "enable": true,
14 + "notation": true
15 + }
16 + }
17 + ...
18 + ```
19 +
20 +
21 + ## Notation CLI Setup
22 + ### Installation
23 +
24 + Install the Notation CLI tool:
25 + ```bash
26 + export NOTATION_VERSION=1.3.1
27 + curl -LO https://github.com/notaryproject/notation/releases/download/v$NOTATION_VERSION/notation_$NOTATION_VERSION\_linux_amd64.tar.gz
28 + sudo tar xvzf notation_$NOTATION_VERSION\_linux_amd64.tar.gz -C /usr/local/bin notation
29 + ```
30 +
31 + Verify installation:
32 + ```bash
33 + notation version
34 + ```
35 +
36 + ### Registry Login
37 +
38 + Login to your Zot Registry:
39 + ```
40 + notation login registry.example.org
41 + ```
42 +
43 + ## Generating Certificate Key and Signing
44 +
45 + Create the key:
46 + ```bash
47 + openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -key sign.key -out sign.csr
48 + ```
49 +
50 + Create the certficate file:
51 + ```bash
52 + openssl x509 -req -sha256 -days 365 -in sign.csr -signkey sign.key -out sign.crt -extfile (printf "keyUsage=critical,digitalSignature\nextendedKeyUsage=codeSigning" | psub)
53 + ```
54 +
55 + Upload the certificate to your Zot Registry via API:
56 + ```bash
57 + curl -u "YOUR_USERNAME:YOUR_API_KEY" --data-binary @sign.crt -X POST "https://registry.example.org/v2/_zot/ext/notation?truststoreType=ca"
58 + ```
59 +
60 + Sign an OCI image that is already on your Zot Registry:
61 + ```bash
62 + notation sign registry.example.org/image_name:tag
63 + ```
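Review bot: the "Create the key" command (`openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -key sign.key -out sign.csr`) does not work as written: `genpkey` has no `-key` option and it emits a private key, not a CSR, so this step errors out and `sign.csr` never exists for the `x509 -req` that follows. Split it into `openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out sign.key` followed by `openssl req -new -key sign.key -out sign.csr -subj "/CN=YOUR_SIGNER_NAME"` (the `-subj` avoids the interactive prompts). In the same hunk, the `-extfile (printf ... | psub)` form is fish syntax; for the block tagged `bash` it should be `-extfile <(printf "keyUsage=critical,digitalSignature\nextendedKeyUsage=codeSigning")`. The zot snippet at the top is also missing the comma after the `"http": { ... }` object before `"extensions"`, so it is not valid JSON if pasted as shown. Finally, the install step pipes an unverified download straight into `/usr/local/bin`; a guide about signing artifacts should verify the checksum (or signature) published with the notation release before the `tar` line.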